Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX DroneX dronex allows PHP Local File Inclusion.This issue affects DroneX: from n/a through <= 1.1.12.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion – potential for code execution
Action: Apply Patch
AI Analysis

Impact

An improper control of file names used in PHP include/require statements in ThemeREX DroneX 1.1.12 and earlier allows attackers to manipulate the file path argument, leading to local file inclusion. This flaw is classified under CWE‑98 and can give an attacker the ability to read sensitive files or execute arbitrary code if the included files are writable or contain PHP code.

Affected Systems

WordPress installations utilizing the ThemeREX DroneX theme with brand versions through 1.1.12 are impacted. No specific WordPress core or other theme versions are listed as affected.

Risk and Exploitability

The vulnerability has a CVSS score of 8.1, indicating high severity, while the EPSS score is less than 1 %, suggesting relatively low current exploitation probability. It is not listed in the CISA KEV catalog. The likely attack vector is remote, where an attacker supplies a crafted request or configuration value to the theme that is directly passed to a PHP include/require function. Successful exploitation could result in disclosure of system files or execution of arbitrary code, depending on the attacker’s needs and the server environment.

Generated by OpenCVE AI on April 15, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ThemeREX DroneX theme to a version newer than 1.1.12 where the file name checks have been corrected
  • If an upgrade is not possible immediately, remove or deactivate the DroneX theme to eliminate the vulnerable code paths
  • Enforce strict validation or sanitization on any theme configuration inputs that determine file paths to prevent arbitrary file inclusion

Generated by OpenCVE AI on April 15, 2026 at 23:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex dronex
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex dronex
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX DroneX dronex allows PHP Local File Inclusion.This issue affects DroneX: from n/a through <= 1.1.12.
Title WordPress DroneX theme <= 1.1.12 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Themerex Dronex
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:22.722Z

Reserved: 2026-02-25T12:13:06.635Z

Link: CVE-2026-28009

cve-icon Vulnrichment

Updated: 2026-03-06T18:21:40.255Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:32.817

Modified: 2026-03-06T19:16:20.807

Link: CVE-2026-28009

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T23:30:17Z

Weaknesses